1. Field of the Invention
The present invention relates to the field of network security, and more particularly to processes for determining whether two communicating network drivers are directly connected across a physical link.
2. Background of the Invention
Security in networks is becoming an increasingly important issue. Thus, more complete authentication and identification protocols are being developed, by which end users are required to authenticate themselves or identify themselves prior to being granted access to the network. Thus, network intermediate devices have been developed which have per port authentication processes, by which whenever an end station is connected to a port on the network device, the end station or the user of the end station is required to establish that it is authorized to access the balance of the network. See for example co-assigned, co-pending United States patent applications entitled METHOD AND APPARATUS FOR PROVIDING SECURITY IN A STAR NETWORK CONNECTION USING PUBLIC KEY CRYPTOGRAPHY invented by Vipin Kumar Jain, Danny M. Nessett and William Paul Sherer, filed Oct. 28, 1997, having application Ser. No. 08/955,869; and METHOD AND APPARATUS FOR PROVIDING SECURITY IN A STAR OR HUB NETWORK CONNECTION invented by Vipin Kumar Jain, Danny M. Nessett and William Paul Sherer, filed May 30, 1997, having application Ser. No. 08/866,818. According to these prior applications, whenever a network device detects an end station or other device connected to its port, an authentication routine is executed. The presence of an end station or other device is detected by monitoring the link beat or link active signaling mechanism of the physical layer of the network link being utilized. Upon detecting the presence of a system on a port, the network intermediate device is enabled to authenticate a user on the port prior to allowing it access to the balance of the network.
One problem with prior art authentication routines arises from the fact that networks are modular and the configuration of the networks cannot be known with certainty in advance of connecting a link to a network device having the authentication capabilities. Thus, if a repeater is coupled to the port of a network device, the network device may detect a link beat on its port and then execute an authentication routine to that port. However, the repeater will broadcast the authentication information to all devices to which it is coupled, and potentially throughout a wide area network. This will allow unauthorized users of the network to monitor the authentication processes and information used in the processes. With access to the processes and information, it can be possible to break the authentication code and gain unauthorized access to the network.
Accordingly, it is desirable in some secure environments to prevent the broadcast of the authentication or identification information beyond the network device and the end station to which they relate.
In one embodiment, the present invention provides for detection of a dedicated link between the intermediate system or other network device and the end system prior to exchanging authentication/identification information such as passwords, identifications, encryption information, commands or other security information in packets on the network, thereby ensuring that the information is seen only by the network device and the end system and by no one else. Embodiments of the invention provide a method for determining whether a network device has a direct connection to an end station across a link having a physical layer link active signaling mechanism or other physical layer signaling mechanism. The method includes sending a message via the network from the network device to the end station indicating initiation of a test of the physical layer link active signaling mechanism. The network device then attempts to detect participation by the end station in the test prior to proceeding with the authentication/identification processes, or other security process. One link active signaling mechanism is known as link beat signaling. A link beat is a series of link pulses that are sent continuously on a twisted pair system in the absence of data traffic, to verify connectivity between an intermediate network device and an end system, as in the 10BaseT and 100BaseTX standards.
According to one aspect of the invention, the test of the physical layer link active signaling includes dropping the link active signaling at the network device and waiting for a period of time for a reply message from the end station indicating that the end station detected the loss of the link active signaling. If no reply message is received in the period, or a reply of another type is received indicating that loss of the link active signaling has not been detected, then the dropping and waiting process is repeated until a response is received or a retry limit is reached. If the reply message is received in the period, then it is determined that the end station is directly connected.
According to another alternative, the test involves dropping the link active signaling at the end station, and monitoring the link at the network device for loss of the link active signaling from the end station. If loss of the link active signaling is detected, then it is determined that the end station is directly connected. If loss of the link active signaling is not detected, then it is determined that there may be another device on the link. Optionally, the network device retries initiating the test until participation is detected, or a retry limit is reached.
According to another aspect of the invention, the message used for initiating the test of the link active signaling mechanism includes an authentication element, such as encrypted data and/or a digital signature. Thus, only end stations which are capable of decrypting the message or authenticating the signature will respond appropriately.
Also, according to one option, when the process involves dropping the link active signaling at the network device, the reply message is encrypted, or provided with a digital signature, by the end station. Thus, the network device is capable of verifying the authenticity of the reply message.
One embodiment includes a method for authenticating an end station connected to a network device. The process involves sending an encrypted message via the network from the network device to the end station indicating initiation of a test of the physical layer link active signaling mechanism. Next, it is determined at the network device whether the end station participated in the test. If the end station participated in the test, then the network device executes an authentication or identification protocol at layer two (data link layer) or higher. The test of the physical layer link active signaling can take the form discussed above.
From the point of view of the end station, one embodiment includes receiving via the network from the network device the message that indicates initiation of a test of the physical layer link active signaling, and participating in the test. The step of participating, according to the alternative where the link active signaling is dropped at the network device, includes monitoring the link at the end station for loss of the link active signaling, and sending a reply to the network device if loss of the link active signaling is detected. In another alternative, the end station participates in the test by dropping the link active signaling for an interval of time, and then reactivating the link active signaling. After the end station participates in the test of the physical layer link active signaling to determine a direct connection, then it participates in an authentication algorithm to authenticate the user or the end station at a higher layer to the network device.
Accordingly, the present invention provides for detection of a dedicated link prior to execution of authentication or identification protocols in order to prevent broadcast of the authentication/identification information to unauthorized users. According to the first alternative, the network device requests the end station to pull the link beat down, and monitors the link beat thereafter. If the initiating device observes the link beat going down within some period of time, it knows that it is directly connected to the end station. The network device may optionally repeat this process a couple of times. But if the network device observes the link beat going down as expected, it believes that it has a direct connection to the end station. Otherwise, it is assumed that there is another device in between them.
According to another alternative, the network device notifies the end station that it is going to pull the link beat down and that the end station should monitor the link beat and respond with a success/failure message indicating whether it saw the link beat going down or not. If the network device doubts the validity/integrity of the response, it may require the responding device to sign the response or encrypt the response with the user's private key using public/private key cryptography. The network device then verifies the response using the user's public key. The network device may optionally repeat this process a couple of times. If the response contains a success message indicating that the responding end station observed the link beat going down, the network device believes that it is directly connected to the end station. Otherwise, there may be some device in between.
Thus, a technique is provided by which enhanced network security is achieved by establishing direct connection between communicating devices prior to the exchanging of authentication/identification or other security information.
Other aspects and advantages of the present invention can be seen upon review of the figures, the detailed description and the claims which follow.